Aaron St. Clair wrote this guide... worked on a machine in my fleet.
Remove Latest FBI MoneyPak Virus Despite Safe Mode Forced Restart
The FBI MoneyPak virus has been around for a while now and has had one of the highest infection rates to date. When it originally hit computers around the world, removal of the virus was very simple through safe mode. Although the latest version of FBI MoneyPak forces reboot when in safe mode, following these steps will clear your system of the malware.
The FBI MoneyPak virus is famous for scaring users into believing they have been accused of watching illegal content online.
Attention: Your computer has been locked. Your PC is blocked due to at least one of the reasons specified below…
The original virus would infect the ctfmon.exe system file which is often executed as a startup program. The original fix was to simply boot the computer into safe mode and remove ctfmon from the startup programs, then the computer could be booted and scanned for viruses. FBI MoneyPak 2.0 (as I call it) has hit the streets and now forces your computer to restart upon booting into safe mode. Originally I thought the only fix would be to hook the hard drive up to a different machine to perform the removal. However, I have managed to trick the virus once again and through these directions you can remove the virus safely.
1. Though the new FBI MoneyPak virus shuts down safe mode, it cannot shut down “Safe Mode with Command Prompt” as no programs can be started on startup with this option. Booting into “Safe Mode with Command Prompt” can be different per system, but the most common method is to tap the F8 key repeatedly as soon as you power your computer on. You may hear beeping or see “Keyboard Failure” displayed on the screen, but pay no mind to these warnings. Your computer should never make it to the boot screen for Windows, but should display a screen with options including “Safe Mode”, “Safe Mode with Networking”, “Safe Mode with Command Prompt”, “Repair your Computer”, etc. You need to select the “Safe Mode with Command Prompt” option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.
2. In order to run the files you need, you may first need to know how to navigate around the command prompt. (NOTE: Many systems default to the appropriate WINDOWS\System32 directory, but I have seen a few that do not. I’ve yet to determine what causes this default directory not to be loaded, so if yours isn’t in that directory, read on.) The directory you need to browse to is C:\WINDOWS\System32. If you do not see this file path displayed in the command prompt, then you will need to change to that directory manually. To do so, type “cd ..” until you only see “C:\>” displayed as the current file path. The “cd ..” command is “Change Directory”, and the “..” means go up one directory. Once you’re at C:\> you need to change directory down, into Windows, and then into System32. To do so, type “cd WINDOWS” and then “cd System32”. You should now see “C:\WINDOWS\System32>” displayed as your current directory.
3. The file you need to run is “control.exe”, which will launch the Control Panel. To do so, simply type “control.exe” and hit Enter. It may take a few seconds to initiate the Control Panel, as GUI-based applications generally are not started from this Command Prompt view. Once the Control Panel is open, navigate to User Accounts.
4. The overall objective is to create a new temporary user account to perform the virus removal. In the User Accounts window, click Manage Another User or Create New User. One of these two should give you an option to set up a new user account. The new user MUST be set to an Administrator. Once you have created the user account, ensure that it shows up in User Accounts before closing the window. Once you’ve done all this and verified that the account shows up in User Accounts, you can restart your computer. This time do not tap F8; instead, let the computer boot as it normally would.
5. If your computer boots directly into your user account by default, you may find yourself stuck again at the FBI MoneyPak screen. The objective is to log into the other user account, and the virus allows this, but it can be tricky to do. If you are presented with a window where you can select the new user account that you made, then skip to step 6. There are two ways to get back to the login screen while at the MoneyPak screen. On all Windows platforms the key combination Winkey+L will send you to the login screen. The Winkey button is the one between the Ctrl and Alt keys. If you’re running Windows Vista/7/8 then you have an alternate path. Pressing Ctrl+Alt+Delete should present you with the Windows Lock Screen with the option to Switch User. Clicking Switch User should bring you to the login screen.
6. Log into the new user account that you created in Safe Mode. You will probably see a couple of screens helping you set up your new user account. After that you will be presented with a clean desktop and be able to browse around and use the computer as a new user. This account is just temporary, so do not worry if it does not appear as your normal desktop. Open a web browser and download Malwarebytes Anti-Malware. The software is excellent and you should consider purchasing it. The free version, however, will remove the virus. Download and install the program. Once it has finished installing it may need to restart the PC. After the restart you may have to repeat step 5 to get back to your new temporary user account.
7. After you enter your temporary account following the reboot, run Malwarebytes and allow it to check for updates. If it does not do so automatically, click the Update tab in the user interface and then the Check for Updates button. Now, go back to the Scanner tab and click Perform Full Scan. Quick Scan usually removes the current version of the MoneyPak virus, but it is always better to be safe than sorry with the full scan. The scan can take anywhere from 10 minutes to 5 hours depending on the speed of your system’s hardware. Once the scan is complete, you must click the Show Results button in the lower right-hand corner of Malwarebytes. This will bring you to a new screen with a list of all infections found. Tick the checkbox to the left of every item in the list, then click Remove Selected. You will be prompted to restart your computer. The infected files will not be removed until you restart.
8. Once the computer boots back up, your regular user account should be in proper working order. You can now go back to Control Panel, then User Accounts, and remove the temporary user account you created.
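The same procedure can be carried out without the Control Panel clicks, typed into the “Safe Mode with Command Prompt” window from step 1 (or saved as a .bat file and run there). This is an added example, not part of the original guide; the account name and password are placeholders, and the Startup folder paths assume the Vista/7/8 layout (the XP variants are tried as well). It also lists the usual autostart locations so you can write down what the locker registered before the Malwarebytes scan removes it.

```batch
@echo off
rem Added example (not from the original guide). Run from the
rem "Safe Mode with Command Prompt" window reached in step 1.

rem Placeholders: choose your own temporary account name and password.
set TMPUSER=cleanup
set TMPPASS=ChangeMe-123

rem Step 2 equivalent: go straight to the system directory.
cd /d %SystemRoot%\System32

rem Steps 3-4 equivalent: create the temporary local Administrator account.
net user %TMPUSER% %TMPPASS% /add /comment:"temporary cleanup account"
net localgroup Administrators %TMPUSER% /add

rem Confirm the account exists before rebooting (the guide's "verify it shows up").
net user %TMPUSER%

rem Record the startup-program locations the locker can use to relaunch.
rem Review the output by eye: a ctfmon.exe (or other) entry whose path is
rem not under %SystemRoot%\System32 is the kind of entry worth noting.
echo === Per-user Run key ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
echo === Machine-wide Run key ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
echo === Startup folders (Vista/7/8 paths, then XP paths) ===
dir /b "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%USERPROFILE%\Start Menu\Programs\Startup" 2>nul
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" 2>nul

rem Step 8 equivalent, to run after the scan and final reboot:
rem   net user %TMPUSER% /delete
```

After the account exists, restart without F8 and continue from step 5; the final `net user /delete` line does the cleanup of step 8 once the scan has finished.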